anubis | dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818

Analysis

max time kernel
120s
max time network
149s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
03-10-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
Size

4.8MB
MD5

d98de9f671d6aa0174ec3ea0e0bddfec
SHA1

303e407a5b037edcfe39c56452c96064a0b48120
SHA256

dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818
SHA512

7e322b4acacb0997045842ca9222cbbde8ffda0bd5ac808a0ce975c5fe4c75e13b2deb33cc1f7887e70ed11c2e2697d725a1cccb200d3d0fa1b61adfa25f725b
SSDEEP

98304:i+fYMQWkZNz2GKsglGc+vx0lTeHuCUXW+cs/Re6EDk:iGeFLppgcc+vKlTZGDs/Re6EDk

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

4256 com.tencent.mm

pid	process
4256	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4256	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4285	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4256	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts com.tencent.mm
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4256
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4285

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/classes.dex

Filesize
10.6MB

MD5
302e71be0e6d47632c3769c72da585b7

SHA1
124f1bb806acff41157abef543a838ff0ce53b07

SHA256
66fbdef34021b43ecf328360a6e50ed2fd2fb6c2d568e15775027234649c1a6e

SHA512
8743061a172d844b0d397930c17c4153df4a895cfe2845d58fea3fcde4ce66aa94d1ba1d5a0ae4859772b57b7fb4c777cfa4c2681c3309ceff450cec234ce7b1

Download Submit
/data/data/com.tencent.mm/app_mph_dex/oat/classes.dex.cur.prof

Filesize
586B

MD5
39dc1f11c11b25386fd2eb93a5eceb59

SHA1
f2368f267636abc29e1a24192233c109505d2c4e

SHA256
1dba607e43412210e65297287177563e2779e855e65685e2ea5537783c4b6f86

SHA512
0c3d45b13b43eaadf8c5ff02868fadbf01802d8256895d5a46c08c173d9c6d696f65cf6e041df52bebc2cf2a99812c2b70707e253843dd514d5bf6004ad41899

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
0ebda0f3e9cd51c3c264135187203ff7

SHA1
5b01202d45340ece87fa37987509a4eeaa5360a0

SHA256
5cb4cedb481f0438aad7291c22b691ca3e47dd01e7610adcd0ec682196fec722

SHA512
5e7d23ddd1be1e9b86a3de4aa93e6b97270fa70eb45a179c7e9e18c861962be5b1bef9906be7fde8952fd57e27c9c6d486d36061877462b0dd68c783d4eff5a7

Download Submit
/data/data/com.tencent.mm/databases/Dname-wal

Filesize
60KB

MD5
bb6885af881d3ba26b49fef4e989d1c7

SHA1
f0956c0b50f311515fd0829185321ba1b9064d0f

SHA256
a587d943faddbdfc29c1fe63c2e4bc01d335a12f73d2d50fbd6e9fb1c45eb24c

SHA512
3f1e9f2fb2e4a81053a42494d2bd603d396f32129a2997503f7d38780514f98c230c39aee336ab0ff2952aa3cbdd2e6add318c9f9fa5bf60e2da3944a64905f8

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
a5276940911d539f55515d5b514dad0a

SHA1
a7ea7145e56b7175ff6de9cc8138717cbbe7e058

SHA256
192778a54a0e1dd27a577d2cc6accda45d1e528fcba61b031e19a15e4b0ef6a6

SHA512
0fab3dcf6a424891b82228451866a01fec2e35ae89b19da31e121788092abad101b252fb9834922674204c795926494d927c919fd6827aa73957937b22fcc4cf

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

Filesize
44KB

MD5
fc5ed16f725fd5825370a4699529c2a6

SHA1
77c44196138583ff4e8dd012cd64539a19a79fb7

SHA256
54b4d0a4004b095f930504fcccdee20249f3b651c579e621c7d24766583a169e

SHA512
918ccaa04c0bcf926ee32bb7fbc66a96418eb98fac0bfda0c0e67c04ca3e4cd4a6afbed6b6a68bea4022010fb9b528bf97330c715a65306b915e8e32912f7485

Download Submit
/data/data/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
624e826ba2f53df001a0ac2a07cee91b

SHA1
ca00efb564395d076eedda03665275303dc2449c

SHA256
a84a41c36b92f52a3563b2a268ac8258fad5470fbf799483817a6cbf423fe30c

SHA512
08a13f429d218277a8a88888b52b01e0547d6a5095f222ce2bc87a95c3bb4b29c87b71e7912cc407c52042dedc5274653a9fdbad24a4bed5ebcc59fcfaf949c8

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
9d5b9e6a73dd329fc8b031f3ca2ffcec

SHA1
077ce59bc125cada3e2a8460b67dfacead12f5b3

SHA256
e313d802e98aaf6a3794e584dd081d0774174637838ab8e3c2ca4c5908df1c89

SHA512
25f470317e42144cdefe885e9de17205d92251360cd23b9f8c0dc8b3d70a93eae4687d27412ea189adaaf4ec491e3eafef05e8a2823e58311aab64e8c5cbf202

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
cb6a279614da30384426937f5740338b

SHA1
13b0710f5ae6781ef7798e0c786fa5a75f4c5283

SHA256
b4b193f13caf77fc484254b660f4cfb74958357c4ff8dc7b8101413cff120fc2

SHA512
5865c715b4af90ec33673738869bdf757920ce80c11012ae162714c1e45889353973fcee1756e54dfa97e4252bbc8eb96bcec94fb2d032ab1bd65ec26e76eae4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
0da155ccb7d858919b2193aaa4e1e681

SHA1
9c0ba3a0ca15fb95d6fcbb5157d33846603fe5ed

SHA256
81a7281da5e288321c53021a77ac8e4866c30e4d88903a304b93a49c216d90df

SHA512
fb8c6c670e81a8dd34560599f317ee557cff8f283f45380ed33ffbe303d62398cdb5596e543725980c5afc4197e89206cc04154048eb55b8486e6421828ffe4c

Download Submit
/data/data/com.tencent.mm/files/Tree.txt

Filesize
281B

MD5
f09b17fa60ecbab295508b8eef513af5

SHA1
ac46448901d131ef4605e576fb2d4cfcc3c9f688

SHA256
c514bcc94fff664ddd9efa22d5662128c24c11d061061e14d02b3e61db291a07

SHA512
054b098a272e331f871db61e33a94765e44836c81dd27ba44a041861f0e954c4ab7eda3b8391cf172738b5f30d34605d9ff25d3589ec4fe7ac394d9d32f8fa82

Download Submit
/data/data/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/data/com.tencent.mm/files/netinfo.txt

Filesize
609B

MD5
48e6941039931db6708677e86bff2252

SHA1
868b3cb565bddcafb1f7543b0aba509eb7afe66c

SHA256
ba0c7efd1b07b03373642ce076fb5d7eb802f6a0ba0e97313f4dbbd40052ec23

SHA512
33cad4578700824c9745cc2c85503698b52991180f75df63a810a2033fd32b7413583815a94f7f4ce2787228ffee576ef794dd9074ec8edf4e148ffe14431282

Download Submit
/data/data/com.tencent.mm/files/pkinfo.txt

Filesize
5KB

MD5
b347f6188ee025209e17f01cfa375d5a

SHA1
098682537f524c32d6be1e2a99b6a8a3e1b320d8

SHA256
7fece2f8e545a48c3b15c5cafa9a903c9bbe86de0320da217e856566bee13bec

SHA512
88a026ab14001c6ad2c51432870691bcc2c95d2e1497380af1b1ce1c80bbbcc94a4f6bccee31a9edfec3ccc634a89f0b910b0ee0b9a75cba6be555ea37d52ffa

Download Submit
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
10.6MB

MD5
f81febe1ce21523f67265f756a5ec62e

SHA1
b288942255fe4c18a775125a553746985a95db27

SHA256
598cdb3ba743f75ef70bf40cf1a6cfa8bea8d6e5b47c208b7c6bcfce9d7a64e2

SHA512
4fc06dc8e731e4bd7f95226f8a71585fd9c5365ef26d1e2bacdb694c9f04a49f210c30fbcb60db2e4c0d352a38645dbad6aa448ecd93bddbc35d69aa44352864

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
267B

MD5
cb0b0c34caf7d1ecdf4b2c506fd566d3

SHA1
80f7d29156890eca87a10ca1b8fdece867d9b7cc

SHA256
a8012788df8b83994d196fc55884affe5ccbcc27de5550959b57cec030d3c1ef

SHA512
a6d462191b37097a75d0c0a9328e94232981d69ee610ec9fd011bbf636bebeff6bc9a51d8a3936474c1295dab0a7257ee1122c41f926f090e7f2428c2626f484

Download Submit